Bug 1058625

Summary: QEMU core dumped when boot guest with 4 qxl devices (spice with 4 monitors) specified 512MB
Product: Red Hat Enterprise Linux 7 Reporter: Sibiao Luo <sluo>
Component: spiceAssignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0CC: cfergeau, dblechte, flang, juzhang, marcandre.lureau, michen, mkrcmari, qzhang, rbalakri, virt-maint
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spice-0.12.4-7.el7 Doc Type: Bug Fix
Doc Text:
A QEMU virtual manchine with QXL devices but no explicit VGA device will reach an assert in spice server. The lookup of channels during initialization didn't take the channel identifier value into account and assumed channel 0 always existed. By looking up the right channel, spice-server no longer asserts for the missing channel.
 Story Points: ---
Clone Of:
: 1134980 (view as bug list) Environment:
Last Closed: 2015-03-05 07:56:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1134980    

Description Sibiao Luo 2014-01-28 07:58:44 UTC 
Description of problem:
QEMU core dumped when boot guest with 4 qxl devices (spice with 4 monitors) specified 512MB.

Version-Release number of selected component (if applicable):
host info:
3.10.0-79.el7.x86_64
qemu-kvm-1.5.3-41.el7.x86_64
seabios-bin-1.7.2.2-10.el7.x86_64
seabios-1.7.2.2-10.el7.x86_64
guest info:
3.10.0-79.el7.x86_64

How reproducible:
3/3

Steps to Reproduce:
1.boot guest with 4 qxl devices (spice with 4 monitors) specified 512MB.
e.g:# /usr/libexec/qemu-kvm -M pc.....-monitor stdio -spice disable-ticketing,port=5931 -device qxl,id=video1,bus=pci.0,addr=0x7,vram_size=134217728 -device qxl,id=video2,bus=pci.0,addr=0x8,vram_size=134217728 -device qxl,id=video3,bus=pci.0,addr=0x9,vram_size=134217728 -device qxl,id=video4,bus=pci.0,addr=0xa,vram_size=134217728
2.connect with remote-viewer.
]# remote-viewer spice://localhost:5931
Gtk-Message: Failed to load module "pk-gtk-module"
Gtk-Message: Failed to load module "canberra-gtk-module"
GLib-GIO-Message: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(remote-viewer:15733): GSpice-WARNING **: incomplete link header (-104/16)

(remote-viewer:15733): GSpice-WARNING **: incomplete link header (-104/16)

(remote-viewer:15733): GSpice-WARNING **: incomplete link header (0/16)

(remote-viewer:15733): GSpice-WARNING **: incomplete link header (0/16)

Actual results:
after step 2, it cause QEMU core dumped, I will paste the core dumped bt log later.
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.607000 ms, bitrate 23540229885 bps (22449.712644 Mbps)
(/usr/libexec/qemu-kvm:15714): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Thread 8 (Thread 0x7fa4bfa24700 (LWP 15725)):
#0  0x00007fa4cac15890 in sem_timedwait () from /lib64/libpthread.so.0
#1  0x00007fa4ccf03c47 in qemu_sem_timedwait (sem=sem@entry=0x7fa4cefdfcf8, ms=ms@entry=10000) at util/qemu-thread-posix.c:238
#2  0x00007fa4ccdbc6cc in worker_thread (opaque=0x7fa4cefdfc60) at thread-pool.c:96
#3  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 7 (Thread 0x7fa4bef31700 (LWP 15726)):
#0  0x00007fa4cac15f6d in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fa4cac11d31 in _L_lock_790 () from /lib64/libpthread.so.0
#2  0x00007fa4cac11c37 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fa4ccf03859 in qemu_mutex_lock (mutex=mutex@entry=0x7fa4cd721a60 <qemu_global_mutex>) at util/qemu-thread-posix.c:57
#4  0x00007fa4ccde73a0 in qemu_mutex_lock_iothread () at /usr/src/debug/qemu-1.5.3/cpus.c:964
#5  0x00007fa4cce3d944 in kvm_cpu_exec (env=env@entry=0x7fa4cf14a2f0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1627
#6  0x00007fa4ccde5f55 in qemu_kvm_cpu_thread_fn (arg=0x7fa4cf14a2f0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#7  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#8  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 6 (Thread 0x7fa4be730700 (LWP 15727)):
#0  0x00007fa4c7914347 in ioctl () from /lib64/libc.so.6
#1  0x00007fa4cce3d805 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7fa4cf17a970, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1740
#2  0x00007fa4cce3d93c in kvm_cpu_exec (env=env@entry=0x7fa4cf17aa80) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1625
#3  0x00007fa4ccde5f55 in qemu_kvm_cpu_thread_fn (arg=0x7fa4cf17aa80) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 5 (Thread 0x7fa423fff700 (LWP 15729)):
#0  0x00007fa4c7912c8d in poll () from /lib64/libc.so.6
#1  0x00007fa4c85f77a7 in red_worker_main () from /lib64/libspice-server.so.1
#2  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 4 (Thread 0x7fa4237fe700 (LWP 15730)):
#0  0x00007fa4c7912c8d in poll () from /lib64/libc.so.6
#1  0x00007fa4c85f77a7 in red_worker_main () from /lib64/libspice-server.so.1
#2  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7fa422dff700 (LWP 15731)):
#0  0x00007fa4c7912c8d in poll () from /lib64/libc.so.6
#1  0x00007fa4c85f77a7 in red_worker_main () from /lib64/libspice-server.so.1
#2  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7fa4223ff700 (LWP 15732)):
#0  0x00007fa4c7912c8d in poll () from /lib64/libc.so.6
#1  0x00007fa4c85f77a7 in red_worker_main () from /lib64/libspice-server.so.1
#2  0x00007fa4cac0fde3 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fa4c791d25d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7fa4ccb89a00 (LWP 15714)):
#0  0x00007fa4cac1624d in read () from /lib64/libpthread.so.0
#1  0x00007fa4c8610fc1 in spice_backtrace_gstack () from /lib64/libspice-server.so.1
#2  0x00007fa4c8618907 in spice_logv () from /lib64/libspice-server.so.1
#3  0x00007fa4c8618a65 in spice_log () from /lib64/libspice-server.so.1
#4  0x00007fa4c86014d1 in reds_handle_read_link_done () from /lib64/libspice-server.so.1
#5  0x00007fa4c8600776 in spice_server_add_client () from /lib64/libspice-server.so.1
#6  0x00007fa4c86007da in reds_accept () from /lib64/libspice-server.so.1
#7  0x00007fa4ccd65cce in qemu_iohandler_poll (pollfds=0x7fa4cefafc00, ret=ret@entry=1) at iohandler.c:143
#8  0x00007fa4ccd6b3a8 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#9  0x00007fa4ccc6cd40 in main_loop () at vl.c:1988
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
Aborted (core dumped)

Expected results:
it should work well and we can find there are 4qxl devices qxl devices via "# lspci -vvv" in guest.

Additional info:
# /usr/libexec/qemu-kvm -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 2,sockets=2,cores=1,threads=1 -no-kvm-pit-reinjection -usb -device usb-tablet,id=input0 -name sluo -uuid 990ea161-6b67-47b2-b803-19fb01d30d30 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pci.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/RHEL-7.0-20140116.1_Server_x86_64.qcow2bk,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop -device virtio-scsi-pci,id=scsi1,bus=pci.0,addr=0x4 -device scsi-hd,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=on,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=00:01:02:B6:40:21,bus=pci.0,addr=0x5,bootindex=2 -device virtio-balloon-pci,id=ballooning,bus=pci.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -monitor stdio -spice disable-ticketing,port=5931 -device qxl,id=video1,bus=pci.0,addr=0x7,vram_size=134217728 -device qxl,id=video2,bus=pci.0,addr=0x8,vram_size=134217728 -device qxl,id=video3,bus=pci.0,addr=0x9,vram_size=134217728 -device qxl,id=video4,bus=pci.0,addr=0xa,vram_size=134217728
Comment 1 Sibiao Luo 2014-01-28 08:00:22 UTC 
Core was generated by `/usr/libexec/qemu-kvm -S -M pc -cpu SandyBridge -enable-kvm -m 2048 -smp 2,sock'.
Program terminated with signal 6, Aborted.
#0  0x00007fa4c785c979 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007fa4c785c979 in raise () from /lib64/libc.so.6
#1  0x00007fa4c785e088 in abort () from /lib64/libc.so.6
#2  0x00007fa4c861890c in spice_logv () from /lib64/libspice-server.so.1
#3  0x00007fa4c8618a65 in spice_log () from /lib64/libspice-server.so.1
#4  0x00007fa4c86014d1 in reds_handle_read_link_done () from /lib64/libspice-server.so.1
#5  0x00007fa4c8600776 in spice_server_add_client () from /lib64/libspice-server.so.1
#6  0x00007fa4c86007da in reds_accept () from /lib64/libspice-server.so.1
#7  0x00007fa4ccd65cce in qemu_iohandler_poll (pollfds=0x7fa4cefafc00, ret=ret@entry=1) at iohandler.c:143
#8  0x00007fa4ccd6b3a8 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#9  0x00007fa4ccc6cd40 in main_loop () at vl.c:1988
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
(gdb) bt full
#0  0x00007fa4c785c979 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fa4c785e088 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fa4c861890c in spice_logv () from /lib64/libspice-server.so.1
No symbol table info available.
#3  0x00007fa4c8618a65 in spice_log () from /lib64/libspice-server.so.1
No symbol table info available.
#4  0x00007fa4c86014d1 in reds_handle_read_link_done () from /lib64/libspice-server.so.1
No symbol table info available.
#5  0x00007fa4c8600776 in spice_server_add_client () from /lib64/libspice-server.so.1
No symbol table info available.
#6  0x00007fa4c86007da in reds_accept () from /lib64/libspice-server.so.1
No symbol table info available.
#7  0x00007fa4ccd65cce in qemu_iohandler_poll (pollfds=0x7fa4cefafc00, ret=ret@entry=1) at iohandler.c:143
        revents = 1
        pioh = 0x7fa4cefb6b20
        ioh = 0x7fa4cefb6d60
#8  0x00007fa4ccd6b3a8 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
        ret = 1
        timeout = 4294967295
#9  0x00007fa4ccc6cd40 in main_loop () at vl.c:1988
        nonblocking = <optimized out>
        last_io = 1
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
        i = <optimized out>
        snapshot = 0
        linux_boot = 0
        icount_option = 0x0
        initrd_filename = 0x0
        kernel_filename = 0x0
        kernel_cmdline = 0x7fa4ccf69660 ""
        boot_order = 0x7fa4ccf21ca6 "cad"
        ds = <optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = <optimized out>
        opts = 0x7fa4cefae770
        machine_opts = <optimized out>
        olist = <optimized out>
        optind = 67
        optarg = 0x7fff72843789 "qxl,id=video4,bus=pci.0,addr=0xa,vram_size=134217728"
        loadvm = 0x0
        machine = 0x7fa4cd2fcb80 <pc_machine_rhel700>
        cpu_model = 0x7fff7284319c "SandyBridge"
        vga_model = 0x7fa4ccf4c71f "cirrus"
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = <optimized out>
        userconfig = 156
        log_mask = <optimized out>
        log_file = 0x0
        mem_trace = {malloc = 0x7fa4ccddf3f0 <malloc_and_trace>, realloc = 0x7fa4ccddf3b0 <realloc_and_trace>, 
          free = 0x7fa4ccddf370 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
        trace_events = 0x0
        trace_file = 0x0
        __PRETTY_FUNCTION__ = "main"
        args = {machine = 0x7fa4cd2fcb80 <pc_machine_rhel700>, ram_size = 2147483648, 
          boot_device = 0x7fa4ccf21ca6 "cad", kernel_filename = 0x0, kernel_cmdline = 0x7fa4ccf69660 "", 
          initrd_filename = 0x0, cpu_model = 0x7fff7284319c "SandyBridge"}
(gdb)
Comment 2 Gerd Hoffmann 2014-01-28 08:13:44 UTC 
Triggers assert in spice-server -> reassigning.
Comment 3 Sibiao Luo 2014-01-28 08:15:19 UTC 
It no need to add 4 spice monitor, just for one qxl without specified any vram_size will also hit this issue.
e.g:...-monitor stdio -spice disable-ticketing,port=5931 -device qxl,id=video,bus=pci.0,addr=0x8
(qemu) main_channel_link: add main channel client
main_channel_handle_parsed: net test: latency 0.666000 ms, bitrate 23813953488 bps (22710.755814 Mbps)
(/usr/libexec/qemu-kvm:16452): Spice-ERROR **: reds.c:1464:reds_send_link_ack: assertion `link->link_mess->channel_type == SPICE_CHANNEL_MAIN' failed
Thread 5 (Thread 0x7fee350cf700 (LWP 16463)):
#0  0x00007fee402c0890 in sem_timedwait () from /lib64/libpthread.so.0
#1  0x00007fee425aec47 in qemu_sem_timedwait (sem=sem@entry=0x7fee44044c98, ms=ms@entry=10000) at util/qemu-thread-posix.c:238
#2  0x00007fee424676cc in worker_thread (opaque=0x7fee44044c00) at thread-pool.c:96
#3  0x00007fee402bade3 in start_thread () from /lib64/libpthread.so.0
#4  0x00007fee3cfc825d in clone () from /lib64/libc.so.6
Thread 4 (Thread 0x7fee2ffff700 (LWP 16464)):
#0  0x00007fee402c0f6d in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fee402bcd31 in _L_lock_790 () from /lib64/libpthread.so.0
#2  0x00007fee402bcc37 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fee425ae859 in qemu_mutex_lock (mutex=mutex@entry=0x7fee42dcca60 <qemu_global_mutex>) at util/qemu-thread-posix.c:57
#4  0x00007fee424923a0 in qemu_mutex_lock_iothread () at /usr/src/debug/qemu-1.5.3/cpus.c:964
#5  0x00007fee424e8944 in kvm_cpu_exec (env=env@entry=0x7fee441ae8f0) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1627
#6  0x00007fee42490f55 in qemu_kvm_cpu_thread_fn (arg=0x7fee441ae8f0) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#7  0x00007fee402bade3 in start_thread () from /lib64/libpthread.so.0
#8  0x00007fee3cfc825d in clone () from /lib64/libc.so.6
Thread 3 (Thread 0x7fee2f7fe700 (LWP 16465)):
#0  0x00007fee3cfbf347 in ioctl () from /lib64/libc.so.6
#1  0x00007fee424e8805 in kvm_vcpu_ioctl (cpu=cpu@entry=0x7fee441df030, type=type@entry=44672) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1740
#2  0x00007fee424e893c in kvm_cpu_exec (env=env@entry=0x7fee441df140) at /usr/src/debug/qemu-1.5.3/kvm-all.c:1625
#3  0x00007fee42490f55 in qemu_kvm_cpu_thread_fn (arg=0x7fee441df140) at /usr/src/debug/qemu-1.5.3/cpus.c:793
#4  0x00007fee402bade3 in start_thread () from /lib64/libpthread.so.0
#5  0x00007fee3cfc825d in clone () from /lib64/libc.so.6
Thread 2 (Thread 0x7fee2d7ff700 (LWP 16467)):
#0  0x00007fee3cfbdc8d in poll () from /lib64/libc.so.6
#1  0x00007fee3dca27a7 in red_worker_main () from /lib64/libspice-server.so.1
#2  0x00007fee402bade3 in start_thread () from /lib64/libpthread.so.0
#3  0x00007fee3cfc825d in clone () from /lib64/libc.so.6
Thread 1 (Thread 0x7fee42234a00 (LWP 16452)):
#0  0x00007fee402c124d in read () from /lib64/libpthread.so.0
#1  0x00007fee3dcbbfc1 in spice_backtrace_gstack () from /lib64/libspice-server.so.1
#2  0x00007fee3dcc3907 in spice_logv () from /lib64/libspice-server.so.1
#3  0x00007fee3dcc3a65 in spice_log () from /lib64/libspice-server.so.1
#4  0x00007fee3dcac4d1 in reds_handle_read_link_done () from /lib64/libspice-server.so.1
#5  0x00007fee3dcab776 in spice_server_add_client () from /lib64/libspice-server.so.1
#6  0x00007fee3dcab7da in reds_accept () from /lib64/libspice-server.so.1
#7  0x00007fee42410cce in qemu_iohandler_poll (pollfds=0x7fee44014400, ret=ret@entry=1) at iohandler.c:143
#8  0x00007fee424163a8 in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:465
#9  0x00007fee42317d40 in main_loop () at vl.c:1988
#10 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
Aborted (core dumped)
Comment 4 Sibiao Luo 2014-01-28 08:16:19 UTC 
My spice version info:
# rpm -qa | grep spice
spice-glib-0.20-7.el7.x86_64
spice-server-0.12.4-4.el7.x86_64
spice-gtk3-0.20-7.el7.x86_64
# rpm -qa | grep virt-viewer
virt-viewer-0.5.7-4.el7.x86_64

Best Regards,
sluo
Comment 5 langfang 2014-01-28 08:19:04 UTC 
Boot windows guest will hit dark screen.
Comment 6 RHEL Program Management 2014-03-22 06:08:39 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 8 Marc-Andre Lureau 2014-08-28 14:23:58 UTC 
The spice assert is solved by the following Spice server patch:

http://lists.freedesktop.org/archives/spice-devel/2013-November/015453.html

However, qemu did not register the vga display channel, so you get a "connected to display" virt-viewer info, but no actual guest display. Let's clone this bug for that.
Comment 12 errata-xmlrpc 2015-03-05 07:56:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0335.html